Imagine a world where your organization is constantly at risk of a cyber-attack, yet no solution seems fully secure. In this episode of Innovation In Compliance, host Tom Fox and guest Steve Horvath explore the complex landscape of supply chain cyber risk management. They examine the high-profile breaches of Home Depot and Target, as well as the critical importance of frameworks like the NIST Cybersecurity Framework. Steve delves into the challenges faced by organizations, the need for effective risk management strategies, and the evolving landscape of cybersecurity in the public and private sectors.
Steve Horvath is a seasoned cybersecurity expert who has spent nearly two decades at Telos, a prominent cybersecurity firm focused on protecting government and industry networks. Since joining Telos in 2006, Steve has been instrumental in developing cybersecurity strategies and services for various elements of the U.S. federal government, including the intelligence community and the Department of Defense. Today, he leads the way in driving compliance and risk management initiatives with a focus on innovative solutions like Xacta.
You’ll hear Tom and Steve discuss:
- Telos’ platform, Xacta, began as a web-based application focused on facilitating the rigorous compliance activities of federal standards, and has since evolved into a sophisticated platform for managing cybersecurity risks.
- Cybersecurity risk is unique and highly challenging, and unlike other forms of risk, it doesn’t lend itself to transference. Insurance policies won’t save an organization from a devastating cyber attack.
- Many organizations, particularly public ones, need to shift their mentality from accepting some level of risk to striving for robust cybersecurity operations that minimize risk as much as possible.
- Education at the board level about the threats and implications of cybersecurity is a crucial yet often overlooked factor. The conversation around this is gaining traction, with initiatives such as the SEC’s proposed rule on disclosing whether a board has a member with cybersecurity expertise.
- The Home Depot and Target hacks brought widespread attention to cybersecurity risks, highlighting the need for organizations to be proactive in managing threats and vulnerabilities.
- The NIST Cybersecurity Framework provides a practical and easily understood framework for organizations to assess and improve their cybersecurity posture. It enables effective communication between security operators and the board, fostering a common language and understanding.
- Supply chain cybersecurity is a critical concern, particularly for software and IT hardware sourcing. Having a software bill of materials and understanding the ingredients within the software helps organizations assess their exposure and potential vulnerabilities.
- The network attack surface is the set of points where an attacker could gain ingress to an organization’s systems or exfiltrate its data; understanding and reducing it is a core risk-management task. Mitigating risks such as phishing attacks requires robust security education programs for users.
- Creating an actionable cyber intelligence strategy involves having the right stakeholders and roles within the organization, selecting a suitable framework (such as NIST or ISO standards), and ensuring continuous validation and improvement of cybersecurity measures.
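The SBOM point above is easiest to see in practice. The following is an added example, not code from the podcast, from Telos or from Xacta: it reads a constructed CycloneDX-style SBOM, matches each component against a constructed advisory list (the package names, version numbers and advisory IDs here are invented for illustration), and reports which components fall below the first fixed version, together with the components that pull them in so a practitioner knows where the exposure enters the dependency tree.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM. Package names and versions are invented
# for this example and do not describe any real project.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-web", "version": "3.2.0",
     "purl": "pkg:npm/example-web@3.2.0"},
    {"type": "library", "name": "example-json-parser", "version": "1.4.2",
     "purl": "pkg:npm/example-json-parser@1.4.2"},
    {"type": "library", "name": "example-crypto", "version": "2.9.1",
     "purl": "pkg:npm/example-crypto@2.9.1"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/example-web@3.2.0",
     "dependsOn": ["pkg:npm/example-json-parser@1.4.2"]},
    {"ref": "pkg:npm/example-json-parser@1.4.2", "dependsOn": []},
    {"ref": "pkg:npm/example-crypto@2.9.1", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed (invented IDs): the package's purl without its
# version, and the first version in which the issue is fixed.
ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:npm/example-json-parser", "affected_below": "1.5.0"},
    {"id": "ADV-0002", "package": "pkg:npm/example-crypto", "affected_below": "2.8.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) for numeric comparison.

    Pre-release suffixes such as '-beta' are dropped, so a pre-release of the
    fixed version compares as fixed; a stricter scheme would treat them separately.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:npm/name@1.2.3' into ('pkg:npm/name', '1.2.3')."""
    base, _, version = purl.partition("@")
    return base, version


def find_exposed(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (advisory, component) pair where the SBOM
    component's version is below the advisory's first fixed version."""
    sbom = json.loads(sbom_json)

    # Index advisories by package so a package with several advisories is
    # checked against each of them.
    by_package: Dict[str, List[Dict]] = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    # Reverse the dependency graph: for each component, which components
    # depend on it. This tells you where a vulnerable library enters the build.
    pulled_in_by: Dict[str, List[str]] = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            pulled_in_by.setdefault(child, []).append(dep["ref"])

    findings = []
    for component in sbom["components"]:
        base, version = split_purl(component["purl"])
        for adv in by_package.get(base, []):
            if parse_version(version) < parse_version(adv["affected_below"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": component["purl"],
                    "fixed_in": adv["affected_below"],
                    "pulled_in_by": pulled_in_by.get(component["purl"], []),
                })
    return findings


if __name__ == "__main__":
    for finding in find_exposed(SBOM_JSON, ADVISORIES):
        print(f"{finding['advisory']}: {finding['component']} "
              f"(fixed in {finding['fixed_in']}), pulled in by {finding['pulled_in_by']}")
```

Run against the constructed input, this flags `example-json-parser@1.4.2` under ADV-0001 and shows that it arrives through `example-web`, while `example-crypto@2.9.1` is already above ADV-0002's fixed version. In a real pipeline the SBOM would come from the build and the advisories from a vulnerability feed; the matching logic is the same.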
KEY QUOTES:
“You really have to do exceptional cybersecurity operations, and the best way to influence cybersecurity operations… is having some teeth behind a set of conditions and compliance requirements that guide you toward making the best decision…” – Steve Horvath
“The Risk Management Framework out of NIST [Cybersecurity Framework]… maps very easily and we find that it really allows for the security operators, the folks at the practical level doing the work. It gives them a language that they can articulate all the way up to the board and so everybody’s kind of speaking the same language.” – Steve Horvath
“A good security education program for your users tends to be a more dramatic impact than people realize. If you can teach your users not to click on links and emails or open documents, you’re way ahead of the gate.” – Steve Horvath
Resources: